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APPENDIX A 



Sample HTML Source For An SS-DHTML Document Object 



<html> 
<heaci> 

<titlex/title> 
</head> 

<body bgcolor= M #C0C0C0"> 
UJ <script Language=" JavaScriptl . 2"> 

<! — 

"J function signForm() { 

LJ var alltext = new String (document .po . Tl . value + 

I r| document .po . T2 . value + document .po. T3. value + document . po . SI . value + 

i h* document . po . T4 . value ) ; 

fL var ret; 

^% ret = document. Invisible. processlnput (document . forms [0] , 

" p alltext) ; 

E alert (ret) ; 

ru a— > ] 

</script> 

,p <em><bigXfont face="Arial Black"> 

C3 

<p>Form #1176 Purchase Order Request : </fontx/big></em> 

<APPLET Name = "Invisible" CODE = "InvisibleApplet . class " ARCHIVE = 
"invisible. jar" WIDTH = 350 HEIGHT = 350 > 
</APPLET> 

</p> 

<a href="http: //st9 : 808 0/SWBCDemos/ Forms /f ormsOnline . htm"xf ont 
face= ,, Garamond"Xstrong> 

<p align="center">I want To Return To The Main Forms Page 
</strongx/fontx/ax/p> 

<hr size= ,, 3" width="50% n align="center ,, > 

<form name="po"> 

<b><strongXbigXbig><p>Employee Name: </big></big></strong> 
</bxinput type="text" 

name= ,, Tl" size= M 30"> <br> 

<br> 

<b><s trong><big><big>Product Name : </big></bigx/strong> </bxinput 
type="text" name="T2" 
si2e="35"> <br> 
<br> 

<b><strongxbig><big>Reasons For Order : </big></big></strong> </bxbr> 
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<textarea rows="9" name="Sl" cols="38 "></textarea> <br> 
<br> 

<big><big><strong>Quantity: </strongx/bigx/big></p> 
<pxselect naitie="Dl" size="l"> 

<option selected value= M l">l</option> 

<option value="2 M >2</option> 

<option value="3">3</option> 

<option value="4">4</option> 

<option value="5">5</option> 
</select>    <big><strong>Other : (Please 
Specify) </strong></big> <br> 

                      Snbsp 
;  <input 

type="text" name="T4" size="20"x/p> 

<pxbigxbig><st rong>Price : </s trongx/bigx/bigx/p> 

<div align= ,, left"xp><input type="text" name="T3" size="20"x/p> 

</divxdiv align="center"xcenterXpXbr> 

<input type="button" value= n Submit Order" name="Bl" 

onClick="signForm( ) "> <input 

type="reset" value="Reset Fields" name="B2 "></p> 
</centerx/divXhr size="3" width="50%" align="center"> 

</forin> 

</body> 

</html> 
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Sample Java™ Signature Processing Applet For An SS- 
DHTML Document Object 



/* file - InvisibleApplet . java 
/* 

/* This is the class definition for the applet that works throught 
/* LiveConnect with the forms in the Form Signature demonstration 
/* This applet holds two responsibilites : 

/* 1 - Authenticate the user and obtain their private key 

/* 2 - Accept throught a call from a JavaScript a reference to a form 

/* object and user specific data and sign this concatenated data 

/* with the private key obtained from authentication 

/* 

/* Revision Timeline: 

/* 6/5 - 6/9 Attempted implementation of iButtons to perform authent 
/* 6/10 Decided a software implementation was a better starting point 
/* 7/14 Moved search for user's private key to method that signs data * 

/ 

import com. ms . security . *; 

import java . security. * ; 

import java.io.*; 

import j ava . util . * ; 

import j ava . net . * ; 

import com. oreilly . servlet . * ; 

import javax. crypto. *; 

import javax. crypto. spec. * ; 

import javax. crypto . spec. PBEKeySpec; 

import au.net . aba . crypto . provider . ABAProvider ; 

import au . net . aba . crypto . * ; 

import au . net . aba . security . spec . * ; 

public class InvisibleApplet extends java . applet .Applet { 

Instruct s = new Instruct () ; 
Message resul = new Messaged; 
SymAction lSymAction = null; 
Password p = new Password(); 
PrivateKey session_key = null; 
PublicKey verify_key = null; 
byte[] sig = null; 
int fails = 0; 
boolean flag = false; 

BASE64Encoder coder = new BASE64 Encoder () ; 
BASE64Decoder decoder = new BASE64Decoder ( ) ; 
String encodedPubKey = ""; 

byte[] salt = new byte [8]; 
int iterations = 20; 
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/* The initialization method of the applet. Here there*/ 
/* are two main purposes. 1: Authenticate the user */ 
/* this will be done by what ever method chosen and 2:*/ 
/* Obtain the users private key off the floppy drive. */ 

public void init ( ) { 

try { 

System, out .println ( " " ) ; 

System. out .println ( "Secure Web Based Computing Test Bed"); 
System. out . println ( "\nOnline Form System Demonstration"); 

System. out .println ("Version 4.00") ; 
System, out. println ( " \n" ) ; 

// Written solely for the Win32 VM. Since this is the init ( ) 
// method we need to assert our specified permission to the 
// call stack in order to display a window giving 
instructions 

if (Class . forName ( "com. ms . security . PolicyEngine" ) != null) { 
PolicyEngine . assert Permission ( PermissionlD. SYSTEM) ; 
} 

Security . addProvider (new ABAProvider ( ) ) ; 
resul.setSize(400,200) ; 
try { 

encodedPubKey = getParameter ( "publicKey" ) ; 

if (encodedPubKey == null) { 
s . setVisible ( true ) ; 

} 

} catch (Exception e) { 

// Set the instructions dialog box visible 
s .setVisible (true) ; 
System. out .println (e) ; 

} 

// Declare an instance of the ActionHandling class 

// And attach listeners to each of the buttons 
lSymAction = new SymAction(); 
p . buttonl . addActionListener (lSymAction) ; 
s .buttonl . addActionListener (lSymAction) ; 
resul .buttonl . addActionListener (lSymAction) ; 

} catch (Exception e) { 

System, out .println ( "Caught Exception in Applet Init():" -I- e) ; 
> 

} /* End init() V 
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/* This method added 7/14 to run the verification and */ 

/* its parameters to be obtained from the script that will*/ 

/* call it. The servlet the hands this page to the client */ 

/* will have encoded the public key in the page as a */ 

/* parameter to obtain */ 

public boolean processVerify ( String form, String client_input, 
String signature) { 

byte[] temp = null; 

byte[] tempi = null; 

byte[] sig = null; 

byte[] ser_pubKey = null; 
byte[] fin = null; 

boolean result = false; 

try { 

System. out . print In (signature ) ; • 
try { 

sig = decoder .decodeBuffer (signature) ; 
} catch (Exception e) { 

e . printStackTrace ( ) ; - 6 

} 

System. out .println ("Client input in verify: " + client_input) ; 

ser_pubKey = decoder . decodeBuffer (encodedPubKey) ; 
ByteArraylnputStream bais = new ByteArrayInputStream( ser_pubKey) 
Ob j ectlnputStream ois = new Ob j ectlnputStream (bais ) ; 
verify_key = (PublicKey) ois . readOb ject ( ) ; 

ByteArrayOutputStream baosl = new ByteArrayOutputStream ( ) ; 

PrintWriter pw = new PrintWriter (baosl ) ; 

pw. flush ( ) ; 

pw.println (form) ; 

pw. flush ( ) ; 

pw. close ( ) ; 

tempi = baosl . toByteArray ( ) ; 
BASE64Encoder be = new BASE64Encoder ( ) ; 

System. out. println("In Verify rep of form: " + be . encode ( tempi ) ) 

String concat = client_input ; 

ByteArrayOutputStream baos = new ByteArrayOutputStream () ; 
ObjectOutputStream oos = new ObjectOutputStream(new 
Buf feredOutputStream(baos) ) ; 

oos .writeOb ject (concat ) ; 

oos . close ( ) ; 

temp = baos . toByteArray () ; 

fin = new byte [ temp . length + tempi . length] ; 

System. arraycopy (temp, 0, fin, 0, temp . length) ; 

System. arraycopy (tempi, 0, fin, temp. length, tempi . length) ; 

// Declare an instance of the DSA signature class from the JCA 
Signature dsa = Signature . getlnstance ( "DSA" ) ; 
dsa. initVerify (verify_key) ; 
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dsa . update ( fin) ; 

result = dsa . verify (sig) ; 

System. out .println ( result ) ; 

) catch (Exception e) { 

System. out .println (e) ; 



return result; 
} /* end processVerif y ( ) */ 

/* Here is the workhorse method of the applet: The params */ 
/* to this applet are the reference to the, form and the */ 
/* concatenated form input as one string. This information */ 
/* will also be concatenated and signed. */ 

public String processlnput (String form, String client_input ) { 

// Declare a byte array that will eventually hold the 
/ / signature on all the data supplied to the method 
byte [ ] tmp = null ; 
byte[] tmpl = null; 
byte[] fin = null; 

String return_value = ""; 

// As an added check, determine if the private key 
// to user is null 
if (session_key == null) { 

System. out . println ( "There was a problem setting the private 



}else { 

System. out .println ( "Before try statement"); 
try { 

ByteArrayOutputStream baosl = new ByteArrayOutputStream ( ) ; 

PrintWriter pw = new PrintWriter (baosl ) ; 

pw. flush ( ) ; 

pw. println (form) ; 

pw. flush ( ) ; 

pw. close ( ) ; 

tmpl = baosl. toByteAr ray () ; 
BASE64Encoder be = new BASE64Encoder ( ) ; 

System. out. println ("In Sign rep of form: " + be . encode (tmpl) ) ; 
String concat = client_input; 

ByteArrayOutputStream baos = new ByteArrayOutputStream () ; 
ObjectOutputStream oos = new ObjectOutputStream (new 
Buf feredOutputStream(baos ) ) ; 
oos . writeObject (concat) ; 
oos . close ( ) ; 

tmp = baos . toByteArray ( ) ; 
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fin = new byte [ tmp . length + tmpl . length] ; 

System, arraycopy (tmp, 0, fin, 0, tmp . length) ; 

System. arraycopy (tmpl, 0, fin, tmp. length, tmpl . length) ; 

// Declare an instance of the DSA signature class from the JCA 
Signature dsa = Signature . getlnstance ( "SHA/DSA" ) ; 
dsa . initSign (session_key) ; 
dsa . update (fin) ; 

// And sign the input from the client 
sig = dsa. sign ( ) ; 

} catch (Exception e) { 
System, out . print In (e) ; 

} 



// In case of error where signature was not created properly 
// examine the byte array 
if (sig != null) { 

// Here the signature is fine so return it to the calling 



return_value = coder . encode ( sig) ; 
}else { 

// Here the signature was not fine so to avoid a 
Null PointerExcept ion 

// assemble a random byte array and inform the user of the 
problem 

System, out . println ( "The objects were not properly stored 
together" ) ; 

tmp = new byte[l]; 
return_value = tmp. toString ( ) ; 

} 

} 

return return_value; 
} /* End processlnput ( ) */ 

/* Action Handling Class for AWT components */ 

class SymAction implements java. awt . event . ActionListener { 

// decide which component was triggered and execute appropriate 
// handler for it 

public void actionPer formed ( java . awt . event .ActionEvent event) { 



JavaScript 



try { 



Object object = event . getSource () ; 



37 



u 



x i 

if (object == s.buttonl) { 

sButtonl_ActionPerformed( event) ; 
} 

if (object == p.buttonl) { 

pButtonl_ActionPerformed (event) ; 
} 

if (object == resul.buttonl) { 
resul . setVisible ( false) ; 

} 

} catch (NullPointerException e) { 
System. out. println(e) ; 

} 

} /* End actionPer formed () */ 
} /* End Inner class SymActionO */ 
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m /* Action Handling method for the Continue button on the */ 

ffj /* Instructions form, class Instruct */ 

/***********************************^ 

void sButtonl_ActionPerformed( java.awt .event .ActionEvent event) { 
try { 

sj=a 

\'-* // User acknowledged inserting his private key disk into floppy 

// now he wants to continue, so minimize this dialog box 
=C s . setVisible (false) ; 



// To Check and see if there is a disk in the floppy drive 
// Form a file instace of A:\. Any NullPointerException will 
// indicate that the user has not inserted a disk 
File testFile = null; 

String floppy_test = ("A:" + File. separator) ; 
testFile = new File ( f loppy_test) ; 

if ( (testFile. exists () ) == false) { 
try { 

fails++; 

s.wrappingLabell.setText ("There is no disk in the 
floppy drive, please try again"); 
s . setVisible (true) ; 
} catch (Exception e2) { 
System. out. println(e2) ; 
} 

}else { 

if (fails < 3) { 
// And present the user with a chance to enter their password 
//by showing the password dialog box 
p. setVisible (true) ; 

Jelse { 

}/* end inside else{ } */ 
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} catch (NullPointerException e) { 

// Depending on which VM is used, a file instance that does not 
exist 

// can throw a NullPointerException, so catch for it here 
// Since the above test for the floppy failed, redisplay the 
// Instruct instance will the following instructions 
try { 

s .wrappingLabell . setText ("No disk could be located in the 
floppy drive, please try again."); 
s . setVisible (true) ; 

} catch (Exception el) { 

System. out .println (el) ; 



} catch (Exception e) { 

/ / Catch all other exceptions 
System. out .println (e) ; 

} 

} /* End sButtonl_ActionPerformed () */ 

* + * + + + + * + * + + + + + *********** + *^** + ** + . sfc .. A . + ^ 

/* Action Handling method for the Password Dialog Box */ 
/* This is where the private key will be obtained from the */ 
/* floppy drive */ 

it****************************************/ 

void pButtonl_ActionPerf ormed(java. awt. event .ActionEvent event) { 
try { 

// Minimize the password dialog box 
p. setVisible (false) ; 
resul. setVisible (true) ; 

resul. textAreal . append ("Searching For Employee Information 
File. ..."); 

// Now is time to check if user inserted correct disk, 
// File where data is held is titled by username, if no file 
// Exists then a FileNotFoundException will be thrown 
String path = new 

String ( "A: "+File . separator+p . textFieldl . getText ( ) ) ; 
System. out .println ("Debug File Path" + path); 
FilelnputStream infoHandle - new FilelnputStream (path) ; 

//A valid file existed if execution reaches this point, 
begin the input 

// of the object containing the private key 
ObjectlnputStream ois = new Obj ectInputStream(inf oHandle) ; 
resul . textAreal . append ( " Done\n" ) ; 

x509 temp = null; 
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resul. textAreal. append ("Decrypting Encoded Signature 
Key. . .") ; 

// An appropriately Named Files exists on the disk, try to 
extract 

// an Instance of x509 from it 
try { 

temp = (x509) ois . readObj ect ( ) ; 
} catch (Exception el) { 
el . printStackTrace ( ) ; 

} 



// Declare the Secret Key and factory used to generate it 
KeySpec ks = new 

PBEKeySpec ( (p . textField2 . getText ( ) ) . toCharArray ( ) ) ; 
SecretKeyFactory skf = 

SecretKeyFactory. get Instance ( "PBEWithMDSAndDES " ) ; 
SecretKey key = skf . generateSecret ( ks ) ; 

// Declare the new salt to use in decryption 
byte[] salt = temp. salt; 



// Create an instance of the parameter spec to encapsulate all 
// parameters to the cipher in one class 

AlgorithmParameterSpec aps = new PBEParameterSpec (salt, 
iterations ) ; 

// Create an instance of the Cipher that will decrypt the key 
Cipher cipher = Cipher . getlnstance ( "PBEWithMDSAndDES" ) ; 

// This is a symmetric cipher so initialize it to decryption 
mode 

cipher. init (Cipher . DECRYPT_MODE, key, aps) ; 

// And decrypt it 

byte[] serialized_key = 

cipher .do Final (decoder . decodeBuffer (temp . passwd) ) ; 
resul . textAreal . append ( " Done\n" ) ; 

resul. textAreal. append ("Extracting Private Key From Decrypted 
Data ..."); 

// Extract the serialized object from the decrypted key 

ByteArraylnputStream bais = new 

ByteArrayInputStream( serial ized_key) ; 
ObjectlnputStream ois2 = new Obj ectlnputStream (new 
Buf feredlnputStream(bais) ) ; 

// And make sure it is the DSA private key 
session_key = (PrivateKey) ois2 . readOb ject ( ) ; 
resul . textAreal . append ( " Done\n" ) ; 

resul. textAreal. append ("You Many Now fill Out Your Form, to 
submit press the submit button."); 
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} catch (FileNotFoundException e) { 
try { 

// The file does not exist on the disk that the client 

// Inserted so inform the client of this. 

fails++; 

p.setVisible(false) ; 

s .wrappingLabell . setText ( "No such identification exists 
on this disk, please try again 11 ); 

// Show the alert box 
s .setVisible (true) ; 

} catch (Exception e3) { 
System. out .println (e3) ; 

} 

} catch (Exception e) { 
e . printStackTrace ( ) ; 
}/* End outermost try{}catch{} */ 
} /* End pButtonl_ActionPerf ormed( ) */ 
} /* End InvisibleApplet ( ) */ 
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